Re: pf and detection of non-resolvable ip numbers
- To: misc@openbsd.org
- Subject: Re: pf and detection of non-resolvable ip numbers
- From: Joachim Schipper <j.schipper@math.uu.nl>
- Date: Thu, 13 Apr 2006 16:21:23 +0200
- Mail-followup-to: misc@openbsd.org
On Thu, Apr 13, 2006 at 01:58:10PM +0200, Michael Schmidt wrote:
> Lars Hansson wrote:
> >On Thursday 13 April 2006 18:05, Michael Schmidt wrote:
> >>Reading several man pages gave no answer to this:
> >>Is there a way within pf that pf can detect especially those IP numbers
> >>which do not belong to a hostname, in other words which are not
> >>resolvable to hostnames?
> >No. Perhaps you could create some ugly kludge by logging all and have a
> >cron job read the pflog logfile and do reverse lookups, but I highly doubt
> >it would be feasible or even work.
> Meanwhile I have seen, after having sent my initial mail, that there is a
> way similar to your suggestion without the need for explicit DNS lookups,
> as it includes implicit lookups.
> In pf.conf, if you have any rule combined with log functionality then
> it is logged into the pflog file; that file contains either hostnames or
> IP numbers, and in the case of IP numbers, the IP numbers could not be
> resolved to hostnames.
> Is this behaviour a standard one?
Yes, it is standard behaviour of tcpdump(8). See -n, and pflogd(8).
DNS lookups would slow pf(4) down by far too much. Don't try it.
> >>The reason why I am asking is that I want to catch especially these
> >I can't help but ask why?
> You are right to ask why.
> The reason is I want to achieve this task: We have a few bad users who
> give themselves IP numbers (free unused ones out of our pool), and I want
> to catch the IP numbers taken by those users.
There are several wrong ways to go about this; you picked one.
ISTR a patch to dhcpd appearing on the tech@ list a month or so ago,
that would be one proper solution. However, whether you use this one or
some homegrown script, the point should be to add authentic IPs to a
table and filter on the table.
However, if your network is not physically secure, the fun only begins
with people giving themselves some random IP address. And some
protocols - anything UDP-based, for instance, and TCP on buggy stacks,
and ... - can be spoofed easily, anyway.
Assuming this is not just someone trying to be smart, or trying to
get things done without configuring DHCP for some reason.